--- file-5.18/src/cdf.c.orig	2014-02-27 18:26:17.000000000 -0500
+++ file-5.18/src/cdf.c	2014-06-02 13:20:59.174852051 -0400
@@ -352,10 +352,10 @@ cdf_read_short_sector(const cdf_stream_t
 	size_t ss = CDF_SHORT_SEC_SIZE(h);
 	size_t pos = CDF_SHORT_SEC_POS(h, id);
 	assert(ss == len);
-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 		    SIZE_T_FORMAT "u\n",
-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
+		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 		return -1;
 	}
 	(void)memcpy(((char *)buf) + offs,
@@ -472,6 +472,11 @@ cdf_count_chain(const cdf_sat_t *sat, cd
 		}
 		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
 	}
+	if (i == 0) {
+		DPRINTF((" none, sid: %d\n", sid));
+		return (size_t)-1;
+
+	}
 	DPRINTF(("\n"));
 	return i;
 }
@@ -813,6 +827,10 @@ cdf_read_property_info(const cdf_stream_
 		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 		if (inp[i].pi_type & CDF_VECTOR) {
 			nelements = CDF_GETUINT32(q, 1);
+			if (nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+				goto out;
+			}
 			o = 2;
 		} else {
 			nelements = 1;
@@ -887,7 +905,9 @@ cdf_read_property_info(const cdf_stream_
 			}
 			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
 			    nelements));
-			for (j = 0; j < nelements; j++, i++) {
+			for (j = 0; j < nelements && i < sh.sh_properties;
+			    j++, i++)
+			{
 				uint32_t l = CDF_GETUINT32(q, o);
 				inp[i].pi_str.s_len = l;
 				inp[i].pi_str.s_buf = (const char *)
@@ -932,7 +952,7 @@ int
 cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
     cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
 {
-	size_t i, maxcount;
+	size_t maxcount;
 	const cdf_summary_info_header_t *si =
 	    CAST(const cdf_summary_info_header_t *, sst->sst_tab);
 	const cdf_section_declaration_t *sd =
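Review bot: The new bound in cdf_read_short_sector is computed as `pos + len`, which wraps if `pos` is close to SIZE_MAX and then passes the check; the wrap-safe form is `if (pos > CDF_SEC_SIZE(h) * sst->sst_len || len > CDF_SEC_SIZE(h) * sst->sst_len - pos)`. Whether `pos` can get that large depends on CDF_SHORT_SEC_POS, which is outside the hunk, so this may be theoretical. The check also now depends on `len`, whose only validation visible here is `assert(ss == len)`, which vanishes under NDEBUG; a runtime `if (ss != len) return -1;` keeps the bound meaningful in release builds. The function begins and ends outside this hunk.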
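Review bot: cdf_count_chain now returns `(size_t)-1` for an empty chain, so every caller that multiplies the count by a sector size or hands it to an allocator must test for that sentinel first; the callers are outside this hunk, so I cannot confirm they do. The added block also carries a stray empty line between `return (size_t)-1;` and its closing `}`, which nothing else in these hunks does. `sid` is printed with `%d`, which is right only if it is a signed 32-bit type, as the `(uint32_t)` cast on the context line suggests but does not prove.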
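Review bot: When a CDF_VECTOR property carries `nelements == 0`, the new code jumps to `out` instead of reporting the malformed input, so the caller sees whatever `out` returns; if that path returns success, a truncated property list is accepted as complete without any indication. If that is intended, say so at the jump, e.g. `/* empty vector: stop here and keep the properties read so far */`; otherwise set `errno = EFTYPE` and take the error path. The `out` label and the rest of cdf_read_property_info are outside this hunk.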
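Review bot: The opening brace of the rewritten `for` in cdf_read_property_info sits on its own line, while every other loop in these hunks keeps `{` on the header line; `for (j = 0; j < nelements && i < sh.sh_properties;` followed by `    j++, i++) {` matches the file. When the loop stops because `i` reached `sh.sh_properties` while `j < nelements`, the remaining vector elements are dropped with no diagnostic; a DPRINTF after the loop for the `j < nelements` case would make that truncation visible in debug output. The loop body and whatever guarantees `inp` has room for `sh.sh_properties` entries are outside this hunk.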
@@ -947,21 +967,13 @@ cdf_unpack_summary_info(const cdf_stream
 	ssi->si_os = CDF_TOLE2(si->si_os);
 	ssi->si_class = si->si_class;
 	cdf_swap_class(&ssi->si_class);
-	ssi->si_count = CDF_TOLE2(si->si_count);
+	ssi->si_count = CDF_TOLE4(si->si_count);
 	*count = 0;
 	maxcount = 0;
 	*info = NULL;
-	for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
-		if (i >= CDF_LOOP_LIMIT) {
-			DPRINTF(("Unpack summary info loop limit"));
-			errno = EFTYPE;
-			return -1;
-		}
-		if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
-		    info, count, &maxcount) == -1) {
-			return -1;
-		}
-	}
+	if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
+	    count, &maxcount) == -1)
+		return -1;
 	return 0;
 }
--- file-5.18/src/readcdf.c.orig	2014-03-26 11:28:34.000000000 -0400
+++ file-5.18/src/readcdf.c	2014-06-02 13:21:15.634916277 -0400
@@ -173,12 +180,11 @@ cdf_file_property_info(struct magic_set
 	if (info[i].pi_type == CDF_LENGTH32_WSTRING)
 		k++;
 	s = info[i].pi_str.s_buf;
-	for (j = 0; j < sizeof(vbuf) && len--;
-	    j++, s += k) {
+	for (j = 0; j < sizeof(vbuf) && len--; s += k) {
 		if (*s == '\0')
 			break;
 		if (isprint((unsigned char)*s))
-			vbuf[j] = *s;
+			vbuf[j++] = *s;
 	}
 	if (j == sizeof(vbuf))
 		--j;
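Review bot: `ssi->si_count` switches from CDF_TOLE2 to CDF_TOLE4 in cdf_unpack_summary_info, which is only correct if `si_count` is a 32-bit field in both the on-disk header and cdf_summary_info_header_t; neither declaration is in the diff, so that should be checked rather than assumed. With the CDF_LOOP_LIMIT loop gone this function no longer bounds its own work and relies entirely on cdf_read_property_info to limit what it parses from `sd->sd_offset`, so the `i < sh.sh_properties` guard added elsewhere in this commit is now load-bearing. Both before and after the change only the section at `sd->sd_offset` is unpacked however many sections `si_count` declares; a comment such as `/* only the first section declaration is unpacked */` would record that for later readers.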
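Review bot: The loop in cdf_file_property_info bounds `j` against `vbuf` but still trusts `len` to describe the bytes reachable from `s`; for CDF_LENGTH32_WSTRING, `k` is 2, so `s` advances two bytes per iteration while `len` is decremented once, and if `s_len` is a byte count the loop can walk up to twice `s_len` bytes from `s_buf`. Whether that stays inside the stream depends on the bound cdf_read_property_info places on `s_len`, which is not in this diff. Since `j` now only advances on printable bytes, `vbuf` is a compacted copy of the input; a short comment, `/* skip non-printable bytes; vbuf stays contiguous */`, would make that intent clear. The enclosing function starts and ends outside the hunk.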